Month: November 2018

December is just around the corner but before that here’s monthly notes for November. More about leadership and stories, something about software development.

Issue 35, 13.11.2018

Frontend

CSS and Network Performance
What are best network performance practices when it comes to loading CSS? How can we get to Start Render most quickly? Good article of how your page will only render as quickly as your slowest stylesheet. And what to do about it. tl;dr; “Lazyload any CSS not needed for Start Render”, “Avoid @import”, “Be wary of synchronous CSS and JavaScript order”, “Load CSS as the DOM needs it”. (from @csswizardy)

Bash-it
Bash-it is a collection of community Bash commands and scripts for Bash 3.2+. (And a shameless ripoff of oh-my-zsh?). Includes autocompletion, themes, aliases, custom functions, a few stolen pieces from Steve Losh, and more.

Leadership

Managing with the Brain in Mind
“Treat people fairly, draw people together to solve problems, promote entrepreneurship and autonomy, foster certainty wherever possible, and find ways to raise the perceived status of everyone”. Good read about SCARF. (from @walokra)

On Being A Senior Engineer
What makes for a good senior engineer? tl;dr; Be mature engineer. Good read for everyone regardless of the line of business.

Seek out constructive criticism of their designs.

Understand the non-technical areas of how they are perceived.

Do not shy away from making estimates, and are always trying to get better at it.

Have an innate sense of anticipation, even if they don’t know they do.

Understand that not all of their projects are filled with rockstar-on-stage work.

Something different

You work to live, not live to work
Remember, your job is not your life. You work to live, not live to work. Work on what makes you happy and not burn yourself out. Thread has good tips to recognize it and take control. (from @jevakallio)

Have you ever wondered how to become a bug bounty hunter or wanted to organize a bug bounty program? OWASP Helsinki chapter meeting number 35 told all about bug bounty programs from hacker and organizer point of views. The event was held 6.11.2018 at Second Nature Security (2NS) premises in Keilaniemi. Here’s my short notes.

Notes from OWASP Helsinki chapter meeting #35

“Hunting for bounties in a web browser” by Juho Nurminen from 2NS started the event talks and told about how to approach the issue and showed some findings in details. For the usual of understanding the technology and focusing on what you know, it’s beneficial to read up prior art. Is it repeatable bug? Reproduce it in other context. The talk presented cve-2018-6033 (extension code can execute downloaded files), cve-2018-6039 (XSS in DevTools, privileged API can be overwritten) and cve-2011-2800 (data leak across origins). tl;dr; pwn things, submit crbug.com, profit.

In “How to become a bug bounty hunter” Iiro Uusitalo from Solita talked about bug bounty platforms and tips to be succesful. In short: POC or GTFO, recon, stay on scope, automate all the things, focus, report, wait, profit, join the community.

“Running a successful bug bounty program” by Thomas Malmberg from Hackrfi bug bounty program covered the topic from the “random dude from the other side of the table” point of view. “What really matters is finding bugs” but there’s a lot of things to manage. It comes to managing expectations of hackers and program owners. And remembering that hackers work for you (program owners) but they are not your employees.

Expectation management

“What really matters is finding bugs.” @tsmalmbe from @hackrfi told how to run a successful bug bounty program at @OWASPHelsinki meetup. Managing expectations of hackers and program owners. Remember: hackers work for you; hackers are not your employees. #OWASPHelsinki” – @walokra

The evening ended with a panel & discussion about bug bounty with Juho, Iiro and Thomas. There was lots of interesting questions asked and here’s some of them in short.

Hardware bug bounties, how to do if device not publicly available?

On premises hack days -> not so successful, too little time, concentrate on low hanging fruits.

How to choose [bug bounty] program?

Wide scope -> low hanging fruits.

What kind of reports of findings

OWASP Top 10 covers almost everything.

Everyone is scared of finding remote code execution.

Business impact findings.

Recon: who we are, what we do -> what has big business impact. Also where’s the legacy code?

Impact of how hacker and product owner sees findings? Owner will set the impact, how it should happen at both ends? how to define the final impact corresponding the value?

Always estimate, run some CVSS estimator.

Use Google’s approach.

Fairness and trust. Programs task is to create trust.

Awfraid of reporting found bugs when there’s no bug bounty program?

Program has rules which covers legal matters. Read the rules, ask.

Top 3 negative things?

Program runner went public, lots of bugs, hackers pwned whole system.

Communication issues.

Program runner: call on Friday night, database lost. bug bounty program to blame.